Description
Research indicates that a reflected XSS can be obtained when the server islands feature is used in the targeted application, regardless of what the component template(s) intended.
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): <= 5.15.6
- Patched version(s): 5.15.8
References
Related Issues
- Server secret was included in static assets and served to clients - Vulnerability
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Astro allows unauthorized third-party images in _image endpoint - CVE-2025-55303
Tags:
- npm
- astro
Last updated on November 19, 2025